Encryption Requirements
Introduction
- Encryption is the process of making information unreadable to protect it from unauthorized access. After information has been encrypted, a secret key or password is needed to decrypt it and make it readable again. This document defines standards that Users must comply with for encrypting Devices and files used to access or store UBC Electronic Information so that the information is protected from unauthorized access. This standard may also be used to protect the User’s own personal data, e.g. personal banking information.
- This standard incorporates the legal requirement to encrypt Personal Information stored on Devices, which has been affirmed by the British Columbia Information and Privacy Commissioner in their interpretation of the BC Freedom of Information and Protection of Privacy Act (FIPPA).
- The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
Password Protection and Zipping
- Password protecting a Device or file merely creates a barrier that can be easily bypassed by a technically knowledgeable individual. By contrast, encrypting a Device or file protects information by “scrambling” it to make it unreadable. It is virtually impossible to bypass Encryption that complies with UBC standards.
- Zipping files does not automatically encrypt them; a zip file is simply a way to compress data into an easy-to-transport package. Most zip programs contain the ability to protect the compressed file with strong Encryption, but this feature is not turned on by default.
- For instructions on encrypting Word, Excel and other general files, refer to the How to Encrypt Files Using Common Applications guideline.
- For requirements on emailing UBC Electronic Information, refer to the Transmission and Sharing of UBC Electronic Information standard.
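The distinction drawn above (a zip file compresses, and may or may not encrypt) can be checked from an archive's own metadata without a password. The following script is an added example, not part of the UBC standard or any UBC tool: it hand-assembles three constructed one-entry archives (an ordinary unencrypted zip, one flagged as legacy ZipCrypto, and one marked as WinZip AES-256) and classifies each entry from its headers, reading general-purpose bit 0 (the encryption flag), compression method 99 (the WinZip AE-x marker) and the key strength byte in the 0x9901 extra field, then compares the result against the AES-128 minimum stated in the Technical Requirements section. The file names and payloads are constructed; in the "encrypted" samples the payload merely stands in for ciphertext, since the audit never decrypts anything.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional


def build_zip(name: str, payload: bytes, flag_bits: int = 0,
              method: int = zipfile.ZIP_STORED, extra: bytes = b"") -> bytes:
    """Hand-assemble a one-entry ZIP so header fields that Python's zipfile
    will not write for us (encryption flag, method 99, AE extra) can be set.
    Constructed sample data only; the payload is stored verbatim."""
    name_b = name.encode()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    n = len(payload)
    # Local file header: sig, version needed, flags, method, mtime, mdate,
    # crc32, compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag_bits, method,
                        0, 0x21, crc, n, n, len(name_b), len(extra))
    local += name_b + extra + payload
    # Central directory header: adds version made by, comment length, disk
    # number, internal/external attributes and the local header offset (0).
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag_bits,
                          method, 0, 0x21, crc, n, n, len(name_b), len(extra),
                          0, 0, 0, 0, 0)
    central += name_b + extra
    # End of central directory record: one entry, central dir size and offset.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def winzip_aes_extra(strength: int, actual_method: int = zipfile.ZIP_STORED) -> bytes:
    """WinZip AE-2 extra field (header ID 0x9901): vendor version 2, vendor 'AE',
    strength byte (1 = AES-128, 2 = AES-192, 3 = AES-256), real method."""
    return struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", strength, actual_method)


# Constructed samples: what a default zip produces, and two "encrypted" shapes.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("notes.txt", b"constructed sample text")
PLAIN_ZIP = _buf.getvalue()
ZIPCRYPTO_ZIP = build_zip("notes.txt", b"constructed sample text", flag_bits=0x0001)
AES256_ZIP = build_zip("notes.txt", b"constructed sample text", flag_bits=0x0001,
                       method=99, extra=winzip_aes_extra(3))


def aes_key_bits(info: zipfile.ZipInfo) -> Optional[int]:
    """Return the AES key size declared in an AE-x extra field, or None."""
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == 0x9901 and len(body) >= 5 and body[2:4] == b"AE":
            return {1: 128, 2: 192, 3: 256}.get(body[4])
        pos += 4 + size
    return None


def audit_zip(data: bytes, minimum_bits: int = 128) -> list:
    """Classify each entry's protection from metadata alone (no password needed)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x0001)   # general-purpose bit 0
            key_bits = aes_key_bits(info)
            if not encrypted:
                protection = "none"          # compressed only; readable by anyone
            elif info.compress_type == 99:   # WinZip AE-x marker method
                protection = "aes"
            else:
                protection = "zipcrypto"     # legacy PKWARE cipher, not AES
            compliant = (protection == "aes" and key_bits is not None
                         and key_bits >= minimum_bits)
            report.append({"name": info.filename, "encrypted": encrypted,
                           "protection": protection, "key_bits": key_bits,
                           "compliant": compliant})
    return report


if __name__ == "__main__":
    for label, blob in (("default zip", PLAIN_ZIP), ("ZipCrypto", ZIPCRYPTO_ZIP),
                        ("AES-256", AES256_ZIP)):
        print(label, audit_zip(blob))
```

Only the AES-256 sample is reported as compliant; the default archive is not encrypted at all, and the ZipCrypto one is flagged as encrypted but not with AES, so it does not meet the stated AES-128 minimum. The same `audit_zip` function can be run over any archive's bytes to spot the "zipped but not encrypted" case before it is stored or sent.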
Storage Encryption Risk and Classification Model
- For details on the types of risks associated with the storage of information, and which Encryption tiers mitigate which risks, refer to the Storage Encryption Risk and Classification Model section of the Cryptographic Controls standard.
Device Encryption Requirements
- Encryption requirements apply to Devices, whether UBC-supplied or personally-owned, that are used to access UBC Electronic Information and Systems, or store UBC Electronic Information. At a minimum, Encryption must be implemented as follows:
§ Device Types | Encryption Requirements | Recommended Toolset
4.1.1 Laptop and desktop computers (Workstations)
  Encryption Requirements: Must be encrypted with Tier 1 Encryption. For Users working remotely on personally-owned laptop or desktop computers, refer to the Working Remotely standard for supplemental guidance.
  Recommended Toolset: Use native Encryption for Windows (BitLocker), macOS (FileVault) or Linux (see section 6).
4.1.2 Smartphones, tablets and PDAs
  Encryption Requirements: Must be encrypted with Tier 1 Encryption.
  Recommended Toolset: Use native Encryption for Apple or Android Mobile Devices. Apple and Android Mobile Devices with a vendor-supported OS that is still receiving updates may already be encrypted by default.
4.1.3 Mobile storage devices/media
  Encryption Requirements: Must be encrypted with Tier 1 Encryption.
  Recommended Toolset: Refer to the How to Encrypt USB Sticks and Other Removable Media guideline.
- If Users are travelling abroad with a laptop that has an encrypted drive or that contains encrypted information, authorities of that country may require them to decrypt the information or hand over the Encryption keys (see the Security Considerations for International Travel with Mobile Devices guideline).
- The requirements in the How to Report Incidents section of the Reporting Cybersecurity Incidents standard must be followed in the event of a lost or stolen Device.
IT Infrastructure Encryption Requirements
- Encryption requirements apply to all UBC Electronic Information and Systems, including those stored and accessed in cloud-based technologies. In all cases, the best practice is to encrypt with Tier 3 Encryption or Tier 3+ Encryption. An analysis of appropriate Encryption requirements is best performed during a Privacy Impact Assessment (PIA) or a Security Threat Risk Assessment (STRA).
- Encryption must be implemented as follows (multiple may apply):
§ IT Infrastructure Type | Encryption Requirements
5.2.1 Databases that store High or Very High Risk Information
  Encryption Requirements: Must be encrypted with Tier 3 Encryption where technically possible.
5.2.2 IT Infrastructure storing files containing High or Very High Risk Information
  Encryption Requirements: Files must be encrypted with Tier 3 Encryption where technically possible.
5.2.3 Virtual servers and any IT Infrastructure that stores volumes as files in a host environment, such as:
  - Containers
  - virtual disk or volume images
  Encryption Requirements: Volume files must be encrypted with Tier 2 Encryption where technically possible.
5.2.4 Servers and storage infrastructure located in data centres that:
  - comply with the Physical Security of UBC Data Centres standard; OR
  - have an equivalent level of security, specifically:
    - Data centres at other higher education institutions and health authorities, in Canada
    - EduCloud
    - Digital Research Alliance of Canada
    - Other third-party data centres approved by the CISO
  Storage infrastructure consists of non-mobile devices, such as Storage Area Networks (SANs), Network Attached Storage (NAS) devices, and Direct Attached Storage (DAS). This excludes mobile devices/media, which are covered under section 4.
  Encryption Requirements: No Tier 1 Encryption required, but files and databases are to be encrypted as per above.
5.2.5 Other IT Infrastructure not listed above
  Encryption Requirements: Must be encrypted with Tier 1 or Tier 2 Encryption.
- Regardless of the Encryption requirements in section 5.2, a higher tier of Encryption may be required to meet additional obligations such as contractual requirements.
- To limit vendor access to UBC Electronic Information, Encryption keys must be stored with UBC (and not the vendor) unless not technically possible.
Encryption of Workstations using Operating Systems other than Microsoft Windows and Apple macOS (e.g. Linux)
- Due to operability or performance constraints, Tier 1 Encryption is not always feasible. In those cases, any of the following alternative options are considered acceptable, in recommended order:
  - Tier 2 Encryption on all volumes used to store UBC Electronic Information; or
  - Tier 2 Encryption or equivalent encrypted Virtual Machine (VM); or
  - a local home directory encrypted with Tier 2 or Tier 3 Encryption; or
  - a securely mounted directory in a UBC Data Centre, e.g. TeamShare or Home Drive.
- University IT Support Staff must advise Users who implement any of the above options that:
  - any user-accessible volumes that are unencrypted are not secure;
  - the User must store all Medium, High or Very High Risk Information, including local replicated copies from cloud storage services (e.g. OneDrive), in one of the options listed in section 6.1; and
  - the User should put Tier 1 Encryption in place as soon as it is feasible.
Encryption Exemptions
- The following types of UBC Systems are exempt from Encryption requirements if they are fully compliant with the Encryption Exemption Criteria and they have been documented in a completed and submitted Encryption Exemption Attestation Form:
  - Direct Attached Storage (DAS);
  - Containers;
  - kiosks;
  - public workstations;
  - instructional lab workstations;
  - instrument controllers; and
  - lectern/podium workstations.
- If the UBC System cannot be encrypted and is not compliant with the Encryption Exemption Criteria, then a variance must be requested from the CIO, as per the Requesting Variances standard.
Password Requirements
- Strong passphrases or passwords must be used for Encryption in compliance with the Passphrase and Password Protection standard.
- If the password (also called a “key”) is forgotten or lost, the data may be unrecoverable. Therefore, it is essential to have a key recovery strategy. Where possible, faculty and staff should use a password safe (refer to the Password Safe guideline), or simply write down the password and store it in a secure location such as a safe. Further information about key recovery can be found in the Cryptographic Controls standard.
Technical Requirements
- UBC’s minimum Encryption standard is AES-128 bit Encryption or equivalent; AES-256 bit Encryption or better is recommended. Further technical requirements can be found in the Cryptographic Controls standard. University IT Support Staff, including staff in the IT Service Centre, are available to assist Users to implement these requirements where necessary.
Related Documents and Resources
- BC Freedom of Information and Protection of Privacy Act (FIPPA)
- Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
- How to Encrypt Files Using Common Applications guideline
- Transmission and Sharing of UBC Electronic Information standard
- Cryptographic Controls standard
- Working Remotely standard
- How to Encrypt USB Sticks and Other Removable Media guideline
- Security Considerations for International Travel with Mobile Devices guideline
- Reporting Cybersecurity Incidents standard
- Privacy Impact Assessment (PIA) and Security Threat Risk Assessment (STRA)
- Physical Security of UBC Data Centres standard
- Encryption Exemption Criteria
- Encryption Exemption Attestation Form (with CWL credentials)
- Systems for Encryption Exemption
- Requesting Variances standard
- Passphrase and Password Protection standard
- Password Safe guideline
- Case Studies in Encryption Requirements
Standard Last Revised: 2025-03